1/18/17

1

Issue Date:

Revision:

APNIC eLearning:Internet Routing Registry18 January 201701:00 PM AEST Brisbane (UTC+10)

02 July 2016

1.0

Introduction

• Presenter

• Reminder: Please take time to fill-up the survey

Sheryl HermosoTraining Officersheryl@apnic.net

Specialties: Network SecurityIPv6 DNS/DNSSECInternet Resource Mgmt

2

1/18/17

2

Overview

• What is Routing Policy• IRR Database & Objects• Routing policy documentation in IRR database

• RPSL (Routing Policy Specification Language)• IRRToolSet to generate router configuration

3

Routing Policy

• Public description of the relationship between external BGP peers

• Can also describe internal BGP peer relationship

• Usually registered at an IRR (Internet Routing Registry) such as RADB or APNIC

4This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

1/18/17

3

Routing Policy

• Who are my BGP peers • What routes are

– Originated by a peer– Imported from each peer– Exported to each peer– Preferred when multiple routes exist

• What to do if no route exists

5This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

Why define a Routing Policy

• Documentation • Provides routing security

– Can peer originate the route?– Can peer act as transit for the route?

• Allows automatic generation of router configurations

• Provides a debugging aid– Compare policy versus reality

6This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

1/18/17

4

The Internet Routing Registry (IRR)

• Number of public databases that contain routing policy information which mirror each other:– APNIC, RIPE, RADB, JPIRR, Level3– http://www.irr.net/

• Stability and consistency of routing – network operators share information

• Both public and private databases • These databases are independent – but some exchange

data– only register your data in one database

• List of Routing Registry– http://www.irr.net/docs/list.html

7This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

The Internet Routing Registry (IRR)

• IRRs are used in at least three distinct ways– To publish your own routing intentions– To construct and maintain routing filters and router configurations– Diagnostic and information service for more general network

management

8This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

1/18/17

5

IRR Objects query

9This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

• whois query from cli

• You can search from APNIC website alsowhois -h whois.apnic.net 2406:6400::/32

IRR objects query flags

10This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

• IRR supports a number of flag option– ! RADB Query Flags– - RIPE/BIRD Query Flags

• -i flags for inverse query– whois -h whois.apnic.net -i mnt-by MAINT-AU-APNICTRAINING[All the objects with a matching mnt-by attribute]

– whois -h whois.apnic.net -i origin as17821[route and route6 objects with a matching origin attribute]

• -q flag for Informational queries– whois -h whois.apnic.net -q sources

[list of sources]

whois -h whois.apnic.net -i mnt-by MAINT-AU-APNICTRAINING

whois -h whois.apnic.net -i origin as17821

whois -h whois.apnic.net -q sources

1/18/17

6

IRR objects query flags

11This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

• -K flags for primary keys of an object are returned– whois -h whois.apnic.net -K 2406:6400::/32

• IRRd (IRR Daemon) supports service side set expansions (as-set and route-set)– whois -h whois.radb.net '!iAS-APNICTRAINING’[returns members of AS-APNICTRAINING as-set object]

• For details please check– https://www.apnic.net/apnic-info/whois_search/using-

whois/searching/query-options– http://www.radb.net/support/query2.php

whois -h whois.apnic.net -K 2406:6400::/32

whois -h whois.radb.net ‘!iAS-APNICTRAINING’

Whois & IRR Database

12This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

• APNIC whois database also works as IRR database• Integrated APNIC whois database & Internet Routing

Registry

IRR

APNIC whoisIP, ASNs, reverse

domains, contacts, maintainers etc

routers, routing policy, filters, peers etc

Internet Resources & Routing Information

1/18/17

7

RPSL

• Routing Policy Specification Language• RPSL is object oriented

– These objects are registered in the Internet Routing Registry (IRR)– route, autonomous system, router, contact and set objects

• RIPE-81 was the first language deployed in the Internet for specifying routing policies– It was later replaced by RIPE-181– RPSL is a replacement for the RIPE-181 or RFC-1786– RPSL addresses RIPE-181's limitations

13This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

What is RPSL

• Describes things interesting to routing policy – Prefixes – AS Numbers – Relationships between BGP peers – Management responsibility

• For more about RPSL– RFC-1786: RIPE-181 – RFC-2622: Routing Policy Specification Language – RFC-2650: Using RPSL in Practice – RFC-2726: PGP Authentication for RIPE Database Updates – RFC-2725: Routing Policy System Security – RFC-2769: Routing Policy System Replication – RFC-4012: Routing Policy System Replication next generation

14This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

1/18/17

8

RPSL Objects

• RPSL objects are similar to RIPE-181 objects• Objects

– set of attributes

• Attributes– mandatory or optional– values: single, list, multiple

• Class “key”– set of attributes– usually one attribute has the same name as the object’s class– uniquely identify each object

• Class “key” = primary key – must be specified first

15This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

RPSL Attributes

• Case insensitive • Value of an attribute has a type

– <object-name> – <as-number>– <ipv4-address> – <ipv6-address> – <address-prefix> – etc

• Complete list of attributes and types in RFC 2622– https://www.rfc-editor.org/rfc/rfc2622.txt

16This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

1/18/17

9

APNIC Database Objects and Routing Registry Objects

17This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

OBJECT PURPOSEperson Technical or administrative contacts responsible for an objectrole Technical or administrative contacts represented by a role,

performed by one or more peopleInetnum / inet6num

Allocation or assignment of IPv4 / IPv6 address space

aut-num Registered holder of an AS number and corresponding routing policy

route / route6 Single IPv4/IPv6 route injected into the Internet routing meshmntner Authorized agent to make changes to an objectas-set Collect together Autonomous Systems with shared propertiesroute-set Defines a set of routes prefixesfilter-set Defines a set of routes that are matched by a filter expression

Import and Export Attributes

18This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

• You can document your routing policy in your aut-numobject in the APNIC Database: – Import lines describe what routes you accept from a neighbor and

what you do with them– Export lines describe which routes you announce to your neighbor

1/18/17

10

Routing Policy Scenarios

19This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

Internet

Transit Provider

You

AS131107 DownstreamCustomer

AS17821

AS4608

aut-num: AS17821

import: from AS4608 accept ANYexport: to AS4608 announce AS17821 AS131107

import: from AS131107 accept AS131107export: to AS131107 announce ANY

import: from AS65543 accept AS65543export: to AS65543 announce AS17821 AS131107

AS65543

Peer

RPSL Tools

• IRRToolkit (written in C++)– http://irrtoolset.isc.org/

• Rpsltool (perl, using Template::Toolkit)– http://www.linux.it/~md/software

• IRR Power Tools (PHP)– http://sourceforge.net/projects/irrpt/

• BGPQ3 (C)– http://snar.spb.ru/prog/bgpq3/

• Filtergen (Level 3)– Online tool using whois protocol– whois -h filtergen.level3.net RIPE::ASxxxx

20This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

1/18/17

11

Use of RPSL

• Use RtConfig to generate filters based on information stored in our routing registry– Avoid filter errors (typos)– Filters consistent with documented policy (need to get policy correct

though)– Engineers don’t need to understand filter rules (it just works :-)

• Some providers have own tools.

21This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

IRRToolSet : Installation

• Dependency (Debian / Ubuntu)

• Installation

22

# wget ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz# tar –zxvf irrtoolset-5.0.1.tar.gz# cd irrtoolset-5.0.1# ./configure# make# make install

# apt-get install build-essential libtool subversion bison flex libreadline-dev autoconf automake

For details : http://irrtoolset.isc.org/wiki/IRRToolSetInstallation

1/18/17

12

RtConfig command line options

• Defaults to using RADB – -h whois.ra.net / whois.radb.net– -p 43– Default protocol irrd

• For other RIR use protocol bird– -protocol bird/ripe

• Defaults to “cisco” style output– -config cisco / -config junos

• -s <list of IRR sources> – -s APNIC,RADB,RIPE

23

RtConfig Syntax

• import / export pair for each link; syntax

• Takes other command also

• And many more. But best thing to look

24

@RtConfig [import/export] <yourASN> <yourRouterIP> <neighbourASN> <neighbourRouterIP>

@RtConfig configureRouter <inet-rtr-name> @RtConfig static2bgp <ASN-1> <rtr-1> @RtConfg access_list filter <filter>

man rtconfig

1/18/17

13

IRRToolSet Cisco Examplebash-3.2$ rtconfig -protocol bird -config cisco -h whois.apnic.net

rtconfig> @RtConfig import AS17821 2406:6400:10::1 AS65001 2406:6400:10::2!no ipv6 access-list ipv6-500ipv6 access-list ipv6-500 permit 2406:6400:8000::/48 anyipv6 access-list ipv6-500 deny any any!no ip as-path access-list 500ip as-path access-list 500 permit ^(_65001)+$

<output truncated>

router bgp 17821!neighbor 2406:6400:10::2 remote-as 65001address-family ipv4no neighbor 2406:6400:10::2 activateaddress-family ipv6 unicastneighbor 2406:6400:10::2 activateneighbor 2406:6400:10::2 route-map AS65001-IN inexit

25

IRRToolSet JunOS Examplebash-3.2$ rtconfig -protocol bird -config junos -h whois.apnic.net

rtconfig> @RtConfig import AS17821 2406:6400:10::1 AS65001 2406:6400:10::2policy-options {

community community-1 members [17821:65001];as-path as-path-1 "( 65001)+";

<output truncated>

protocols {bgp {

group peer-2406:6400:10::2 {type external;peer-as 65001;neighbor 2406:6400:10::2 {

import policy_65001_1 ;family inet6 {

unicast;}

}}

}}

26

1/18/17

14

Getting the complete picture

• Automation relies on the IRR being complete– Not all resources are registered in an IRR– Not all information is correct

• Small mistakes can have a big impact– Check your output before using it

• Be prepared to make manual overrides– Help others by documenting your policy

27This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

RPSL in summary

28This document is uncontrolled when printed. Before use, check the APNIC electronic master

document to verify that this is the current version.

1. Define Routing Policy 2. Create IRR Object/Objects

3. Run RtConfig to generate config 4. Push config to router/routers

1/18/17

15

Questions

• Please remember to fill out the feedback form– https://www.surveymonkey.com/r/a

pnic-20170118-eL2

• Slide handouts will be available after completing the survey

29

APNIC Helpdesk Chat

1/18/17

16

Thank You!END OF SESSION

31

Issue Date:

Revision:

www.facebook.com/APNIC

www.twitter.com/apnic

www.youtube.com/apnicmultimedia

www.flickr.com/apnic

www.weibo.com/APNICrir